1.SRX Series device enrollment with Policy Enforcer fails. To debug further, the user
issues the following command: show configuration services security-intelligence url
https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml

and receives the following output: 

What is the problem in this scenario? 

A. The device is directly enrolled with Juniper ATP Cloud. 

B. The device is already enrolled with Policy Enforcer. 

C. The SRX Series device does not have a valid license. 

D. Junos Space does not have matching schema based on the 

Answer: C 


2.You are asked to deploy filter-based forwarding on your SRX Series device for
incoming traffic sourced from the 10.10.100.0/24 network. In this scenario, which three
statements are correct? (Choose three.)
A. You must create a forwarding-type routing instance.
B. You must create and apply a firewall filter that matches on the source address
10.10.100.0/24 and then sends this traffic to your routing instance.
C. You must create and apply a firewall filter that matches on the destination address
10.10.100.0/24 and then sends this traffic to your routing instance.
D. You must create a RIB group that adds interface routes to your routing instance.
E. You must create a VRF-type routing instance.
Answer: ABD

3. You are asked to provide single-sign-on (SSO) to Juniper ATP Cloud.
Which two steps accomplish this goal? (Choose two.)
A. Configure Microsoft Azure as the service provider (SP).
B. Configure Microsoft Azure as the identity provider (IdP).
C. Configure Juniper Cloud as the service provider (SP).
D. Configure Juniper ATP Cloud as the identity provider (IdP).

Answer: B C


4.You want to identify potential threats within SSL-encrypted sessions without 
requiring SSL proxy to decrypt the session contents. 

Which security feature achieves this objective? 

A. infected host feeds 

B. encrypted traffic insights 

C. DNS security 

D. Secure Web Proxy 

Answer: B 

CURRENT THREATS (Aug 16, 2022 - Present)

Event Time               Status                         Description
Aug 17, 2022 12:52 PM    Encrypted traffic insights d   Encrypted Traffic Insights detected host connecting to 203.0.113.7 (permit)
Aug 17, 2022 12:44 PM    C&C hit                        Host attempted to contact a C&C server at 203.0.113.7 (block).
Aug 17, 2022 12:44 PM    C&C hit                        Host attempted to contact a C&C server at 203.0.113.7 (block).
Aug 17, 2022 1:22 AM     Encrypted traffic insights d   Encrypted Traffic Insights detected host connecting to 203.0.113.7 (permit)
Aug 17, 2022 1:21 AM     Encrypted traffic insights d   Encrypted Traffic Insights detected host connecting to 203.0.113.7 (permit).

You are using ATP Cloud and notice that there is a host with a high number of ETI
and C&C hits sourced from the same investigation and notice that some of the events
have not been automatically mitigated.

Referring to the exhibit, what is a reason for this behavior?

A. The C&C events are false positives.

B. The infected host score is globally set below a threat level of 5.

C. The infected host score is globally set above a threat level of 5.

D. The ETI events are false positives.

Answer: D 


6.Exhibit 


user@srx> show security flow session family inet6
Flow Sessions on FPC10 PIC1:
Session ID: 410000066, Policy name: default-policy-00/2, Timeout: 2, Valid
  In: 2001:dbf8::6:2/3 --> 2001:dbf8:5::2/7214;icmp6, If: ge-7/1/0.0, Pkts: 1,
Bytes: 104, CP Session ID: 410000076
  Out: 2001:dbf8:5::2/7214 --> 2001:dbf8::6:2/3;icmp6, If: .local..0, Pkts: 1,
Bytes: 104, CP Session ID: 410000076
Session ID: 410000068, Policy name: default-policy-00/2, Timeout: 2, Valid
  In: 2001:dbf8::6:2/4 --> 2001:dbf8:5::2/7214;icmp6, If: ge-7/1/0.0, Pkts: 1,
Bytes: 104, CP Session ID: 410000077
  Out: 2001:dbf8:5::2/7214 --> 2001:dbf8::6:2/4;icmp6, If: .local..0, Pkts: 1,
Bytes: 104, CP Session ID: 410000077


Total sessions: 2 


Which statement is true about the output shown in the exhibit? 
A. The SRX Series device is configured with default security forwarding options. 
B. The SRX Series device is configured with packet-based IPv6 forwarding options.
C. The SRX Series device is configured with flow-based IPv6 forwarding options.
D. The SRX Series device is configured to disable IPv6 packet forwarding.
Answer: A

You are implementing filter-based forwarding to send traffic from the 172.25.0.0/24
network through ISP-1 while sending all other traffic through your connection to ISP-2.
Your ge-0/0/1 interface connects to two networks, including the 172.25.0.0/24
network. You have implemented the configuration shown in the exhibit. The traffic
from the 172.25.0.0/24 network is being forwarded as expected to 172.20.0.2,
however traffic from the other network (172.25.1.0/24) is not being forwarded to the
upstream 172.21.0.2 neighbor.

In this scenario, which action will solve this problem?

A. You must specify that the 172.25.1.1/24 IP address is the primary address on the
ge-0/0/1 interface.

B. You must apply the firewall filter to the lo0 interface when using filter-based
forwarding.

C. You must add another term to the firewall filter to accept the traffic from the
172.25.1.0/24 network.

D. You must create the static default route to neighbor 172.21.0.2 under the ISP-1
routing instance hierarchy.
Answer: D


8.Exhibit


May 23 05:20:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type
Length:36
May 23 05:20:34 authd_radius_parse_message:generic-type:18
May 23 05:20:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type
Length:15
May 23 05:20:34 authd_radius_parse_message:generic-type:18
May 23 05:20:34 Framework - module(radius) return: FAILURE

You configure a traceoptions file called radius on your device, which returns the
output shown in the exhibit.
What is the source of the problem?
A. An incorrect password is being used.
B. The authentication order is misconfigured.
C. The RADIUS server IP address is unreachable.
D. The RADIUS server suffered a hardware failure.
Answer: D


9.Your Source NAT implementation uses an address pool that contains multiple IPv4
addresses. Your users report that when they establish more than one session with an
external application, they are prompted to authenticate multiple times. External hosts
must not be able to establish sessions with internal network hosts.

What will solve this problem? 

A. Disable PAT. 

B. Enable destination NAT. 

C. Enable persistent NAT 


D. Enable address persistence. 
Answer: C 


10.What is the purpose of the Switch Microservice of Policy Enforcer? 
A. to isolate infected hosts 

B. to enroll SRX Series devices with Juniper ATP Cloud 

C. to inspect traffic for malware 

D. to synchronize security policies to SRX Series devices 

Answer: A 
Referring to the exhibit, which statement is true?
A. This custom block list feed will be used before the Juniper SecIntel

B. This custom block list feed cannot be saved if the Juniper SecIntel block list feed is
configured.

C. This custom block list feed will be used instead of the Juniper SecIntel block list
feed.

D. This custom block list feed will be used after the Juniper SecIntel block list feed.
Answer: D 


12. Exhibit 


Aug 1 11:28:23 11:28:23.434801:CID-0:THREAD_ID-01:RT:<172.20.101.10/59009->10.0.1.129/22;6,0x0> matched filter TestFilter:
Aug 1 11:28:23 11:28:23.434805:CID-0:THREAD_ID-01:RT:packet [64] ipid = 36644, @0xef3edece
Aug 1 11:28:23 11:28:23.434810:CID-0:THREAD_ID-01:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x69185800, rtbl_idx = 0
Aug 1 11:28:23 11:28:23.434817:CID-0:THREAD_ID-01:RT:ge-0/0/4.0:172.20.101.10/59009->10.0.1.129/22, tcp, flag 2 syn
Aug 1 11:28:23 11:28:23.434819:CID-0:THREAD_ID-01:RT:find flow: table 0x206a60a0, hash 43106(0xffff), sa 172.20.101.10, da 10.0.1.129, sp 59009, dp 22
[remaining trace lines are illegible]



The exhibit shows a snippet of a security flow trace.

In this scenario, which two statements are correct? (Choose two.)

A. This packet arrived on interface ge-0/0/4.0.

B. Destination NAT oc

C. The capture is a packet from the source address 172.20.101.10 destined to
10.0.1.129.

D. An existing session is found in the table.

Answer: C,D 


13.Regarding IPsec CoS-based VPNs, what is the number of IPsec SAs associated 
with a peer based upon? 

A. The number of traffic selectors configured for the VPN. 

B. The number of CoS queues configured for the VPN. 

C. The number of classifiers configured for the VPN. 

D. The number of forwarding classes configured for the VPN. 

Answer: A 
You are trying to configure an IPsec tunnel between SRX Series devices in the
corporate office and branch1. You have committed the configuration shown in the
exhibit, but the IPsec tunnel is not establishing.

In this scenario, what would solve this problem?


A. Add multipoint to the st0.0 interface configuration on the branch1 device. 

B. Change the IKE proposal-set to compatible on the branch1 and corporate devices. 
C. Change the local identity to inet advpn on the branch1 device. 

D. Change the IKE mode to aggressive on the branch1 and corporate devices. 
Answer: C 


15.You want to configure a threat prevention policy. 

Which three profiles are configurable in this scenario? (Choose three.) 
A. device profile 

B. SSL proxy profile 

C. infected host profile 


D. C&C profile
E. malware profile
Answer: DCE


16. You are asked to detect domain generation algorithms.
Which two steps will accomplish this goal on an SRX Series firewall? (Choose two.)
A. Define an advanced-anti-malware policy under [edit services].
B. Attach the security-metadata-streaming policy to a security
C. Define a security-metadata-streaming policy under [edit
D. Attach the advanced-anti-malware policy to a security policy.
Answer: A,D


17.You are deploying a virtualization solution with the security devices in your network.
Each SRX Series device must support at least 100 virtualized instances and each
virtualized instance must have its own discrete administrative domain.
In this scenario, which solution would you choose?
A. VRF instances
B. virtual router instances
C. logical systems
D. tenant systems
Answer: C


18.Exhibit 


203.0.113.1/24 
ge-0/0/0 


You configure Source NAT using a pool of addresses that are in the same subnet 
range as the external ge-0/0/0 interface on your vSRX device. Traffic that is exiting 
the internal network can reach external destinations, but the return traffic is being 
dropped by the service provider router. 


Referring to the exhibit, what must be enabled on the vSRX device to solve this 
problem? 


A. STUN 

B. Proxy ARP 

C. Persistent NAT 
D. DNS Doctoring 
Answer: D 


19. Exhibit


[edit tenants TSYS1 security]
user@srx# show
log {
    mode stream;
    stream TN1_s format binary host 10.3.54.22
    source-address 10.3.45.66
    transport protocol tls
}

[edit system security-profile p1]
user@srx# show
security-log-stream-number reserved 1
security-log-stream-number maximum 2


An administrator wants to configure an SRX Series device to log binary security 
events for tenant systems. 

Referring to the exhibit, which statement would complete the configuration? 

A. Configure the tenant as TSYS1 for the p1 security profile.

B. Configure the tenant as root for the p1 security profile.

C. Configure the tenant as master for the p1 security profile.

D. Configure the tenant as local for the p1 security profile.

Answer: B 


20.Your company wants to use the Juniper SecIntel feeds to block access to known
command and control servers, but they do not want to use Security Director to 
manage the feeds. 

Which two Juniper devices work in this situation? (Choose two) 

A. EX Series devices 

B. MX Series devices 

C. SRX Series devices 

D. QFX Series devices 

Answer: B C 


21.Your IPsec VPN configuration uses two CoS forwarding classes to separate voice
and data traffic.

How many IKE security associations are required between IPsec peers in this
scenario?

A. 1

B. 3

C. 4

D. 2

Answer: A


22.Exhibit


[edit security policies from-zone trust to-zone untrust policy Adaptive-Threat-Profiling]
user@SRX-1# show
match {
    source-address any;
    destination-address any;
    application any;
    dynamic-application [ junos:web:proxy junos:web:anonymizer junos:TOR ];
}
then {
    reject {
        application-services {
            security-intelligence {
                add-destination-ip-to-feed {
                    Proxy_Nodes;
                }
            }
        }
    }
}


Referring to the exhibit, which two statements are true? (Choose two.) 

A. The SRX-1 device can use the Proxy_Nodes feed in another security policy.
B. You can use the Proxy_Nodes feed as the source-address and destination-address
match criteria of another security policy on a different SRX Series device.

C. The SRX-1 device creates the Proxy_Nodes feed, so it cannot use it in another
security policy.

D. You can only use the Proxy_Nodes feed as the destination-address match criteria
of another security policy on a different SRX Series device.

Answer: A,C 


23.You are connecting two remote sites to your corporate headquarters site. You must
ensure that all traffic is secured and sent directly between sites. In this scenario, which
VPN should be used?

A. IPsec ADVPN

B. hub-and-spoke IPsec VPN

C. Layer 2 VPN
D. full mesh Layer 3 VPN with EBGP
Answer: A


24.All interfaces involved in transparent mode are configured with which protocol
family?
A. mpls
B. bridge
C. inet
D. ethernet-switching
Answer: B

user@srx> show log flow-log

Apr 13 17:46:17 17:46:17.316930:CID-0:THREAD_ID-01:RT:<10.10.101.10/65131->10.10.102.1/22;6,0x0> matched filter F1:
Apr 13 17:46:17 17:46:17.317009:CID-0:THREAD_ID-01:RT: routed (x_dst_ip 10.10.102.1) from trust (ge-0/0/4.0 in 0) to ge-0/0/5.0, Next-hop: 10.10.102.1
Apr 13 17:46:17 17:46:17.317016:CID-0:THREAD_ID-01:RT:flow_first_policy_search: policy search from zone trust-> zone dmz (0x0,0xfe6b0016,0x16)
Apr 13 17:46:17 17:46:17.317019:CID-0:THREAD_ID-01:RT:Policy lkup: vsys 0 zone(8:trust) -> zone(9:dmz) scope:0
Apr 13 17:46:17 17:46:17.317020:CID-0:THREAD_ID-01:RT: 10.10.101.10/65131 -> 10.10.102.1/22 proto 6
Apr 13 17:46:17 17:46:17.317031:CID-0:THREAD_ID-01:RT: permitted by policy trust-to-dmz(8)
Apr 13 17:46:17 17:46:17.317031:CID-0:THREAD_ID-01:RT: packet passed, Permitted by policy.
Apr 13 17:46:17 17:46:17.317038:CID-0:THREAD_ID-01:RT: choose interface ge-0/0/5.0(P2P) as outgo
Apr 13 17:46:17 17:46:17.317042:CID-0:THREAD_ID-01:RT:is_loop_pak: Found loop on ifp ge-0/0/5.0, addr: 10.10.102.1, rtt_idx: 0 addr_type:0x3.
Apr 13 17:46:17 17:46:17.317044:CID-0:THREAD_ID-01:RT:flow_first_loopback_check: Setting interface: ge-0/0/5.0 as loop if
Apr 13 17:46:17 17:46:17.317213:CID-0:THREAD_ID-01:RT: flow_first_create_session
Apr 13 17:46:17 17:46:17.317219:CID-0:THREAD_ID-01:RT: flow_first_in_dst_nat:
0/0/5.0 as incoming nat if.
call flow_route_lookup(): src_ip 10.10.101.10, x_dst_ip 10.10.102.1, in ifp ge-0/0/5.0, out ifp N/A sp 65131, dp 22, ip_proto 6, tos 0
Apr 13 17:46:17 17:46:17.317227:CID-0:THREAD_ID-01:RT: routed (x_dst_ip 10.10.102.1) from dmz (ge-0/0/5.0 in 0) to .local..0, Next-hop: 10.10.102.1
Apr 13 17:46:17 17:46:17.317228:CID-0:THREAD_ID-01:RT:flow_first_policy_search: policy search from zone dmz-> zone junos-host (0x0, 0xfe6b00 )
Apr 13 17:46:17 17:46:17.317230:CID-0:THREAD_ID-01:RT:Policy lkup: vsys 0 zone(9:dmz) -> zone(2:junos-host) scope:0
Apr 13 17:46:17 17:46:17.317230:CID-0:THREAD_ID-01:RT: 10.10.101.10/65131 -> 10.10.102.1/22 proto 6
Apr 13 17:46:17 17:46:17.317236:CID-0:THREAD_ID-01:RT: packet dropped, denied by policy
Apr 13 17:46:17 17:46:17.317237:CID-0:THREAD_ID-01:RT: denied by policy deny-
THREAD_ID-01:RT: packet dropped, policy


You are using traceoptions to verify NAT session information on your SRX Series 
device. 

Referring to the exhibit, which two statements are correct? (Choose two.) 

A. This is the last packet in the session. 

B. The SRX Series device is performing both source and destination NAT on this 
session. 

C. This is the first packet in the session. 

D. The SRX Series device is performing only source NAT on this session. 
Answer: A,B 


26.You are asked to determine if the 203.0.113.5 IP address has been added to the
third-party security feed, DShield, from Juniper SecIntel. You have an SRX Series
device that is using SecIntel feeds from Juniper ATP Cloud.

Which command will return this information?

A. show security dynamic-address category-name CC | match 203.0.113.5

B. show security dynamic-address category-name Infected-Hosts | match
203.0.113.5

C. show security dynamic-address category-name IPFilter | match 203.0.113.5

D. show security dynamic-address category-name JWAS | match 203.0.113.5
Answer: D 


27.You want to enroll an SRX Series device with Juniper ATP Appliance. There is a
firewall device in the path between the devices.
In this scenario, which port should be opened in the firewall device?
A. 8080
B. 443
C. 80
D. 22
Answer: B

Aug 3 01:28:23 01:28:23.434861:CID-0:THREAD_ID-01:RT: routed (x_dst_ip 10.1.0.129) from trust (ge-0/0/4.0 in 0) to ge-0/0/2.0, Next-hop: 10.0.1.129
Aug 3 01:28:23 01:28:23.434863:CID-0:THREAD_ID-01:RT:flow_first_policy_search: policy search from zone trust-> zone untrust (0x0,0xe6810016,0x16)
Aug 3 01:28:26 01:28:26.434137:CID-0:THREAD_ID-01:RT: packet dropped, denied by policy
Aug 3 01:28:26 01:28:26.434137:CID-0:THREAD_ID-01:RT: denied by policy Deny-Telnet(5), dropping pkt
Aug 3 01:28:26 01:28:26.434138:CID-0:THREAD_ID-01:RT: packet dropped, policy deny.


Which two statements are true about the output shown in the exhibit? (Choose
two.)

A. The source address is translated.

B. The packet is an SSH packet.

C. The packet matches a user-configured policy.

D. The destination address is translated.

Answer: A,B 


29.Which two types of source NAT translations are supported in this scenario? 
(Choose two.) 

A. translation of IPv4 hosts to IPv6 hosts with or without port address translation 

B. translation of one IPv4 subnet to one IPv6 subnet with port address translation 

C. translation of one IPv6 subnet to another IPv6 subnet without port address 
translation 

D. translation of one IPv6 subnet to another IPv6 subnet with port address translation 


Answer: AB 


30.Which statement is true about persistent NAT types? 

A. The target-host-port parameter cannot be used with IPv4 addresses in NAT46. 
B. The target-host parameter cannot be used with IPv6 addresses in NAT64.

C. The target-host parameter cannot be used with IPv4 addresses in NAT46.

D. The target-host-port parameter cannot be used with IPv6 addresses in NAT64 
Answer: B 


31.Exhibit 


[edit security policies from-zone trust to-zone untrust policy Adaptive-Threat-Profiling]
user@SRX-1# show
match {
    source-address any;
    destination-address any;
    application any;
    dynamic-application [ junos:web:proxy junos:web:anonymizer ];
}
then {
    reject {
        application-services {
            security-intelligence {
                add-source-ip-to-feed {
                    Suspicious_Endpoints;
                }
            }
        }
    }
}


Referring to the exhibit, which two statements are true? (Choose two.)

A. The Suspicious_Endpoints feed is only usable by the SRX-1 device.

B. You must manually create the Suspicious_Endpoints feed in the Juniper ATP
Cloud interface.

C. The Suspicious_Endpoints feed is usable by any SRX Series device that is a part
of the same realm as SRX-1.

D. Juniper ATP Cloud automatically creates the Suspicious_Endpoints feed after you
commit the security policy.

Answer: A,C 


32.Exhibit 


user@srx# show st0
family inet
address 10. 10020 0. 11/24;

Referring to the exhibit, a spoke member of an ADVPN is not functioning correctly.
Which two commands will solve this problem? (Choose two.)
A)
[edit interfaces]
user@srx# set st0.0 multipoint

B)
[edit security ike gateway advor ttia]
user@srx# set advpn suggester disable

C)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: BC


33.In Juniper ATP Cloud, what are two different actions available in a threat 
prevention policy to deal with an infected host? (Choose two.) 

A. Send a custom message 

B. Close the connection. 

C. Drop the connection silently. 

D. Quarantine the host. 


Answer: BC


34.You are required to deploy a security policy on an SRX Series device that blocks
all known Tor network IP addresses.

Which two steps will fulfill this requirement? (Choose two.)
A. Enroll the devices with Juniper ATP Appliance.
B. Enroll the devices with Juniper ATP Cloud.
C. Enable a third-party Tor feed.
D. Create a custom feed containing all current known MAC addresses.
Answer: AC


35.Exhibit

flow_first_policy_search: policy search from zone Peete-> zone dmz (0x0, Oredha0016, 0x16)
Aug 3 02:10:28 02:10:28.045191:CID-0:THREAD_ID-01:RT: packet dropped, denied by policy
Aug 3 02:10:28 02:10:28.045192:CID-0:THREAD_ID-01:RT: denied by policy default-policy-logical-system-00(2), dropping pkt
Aug 3 02:10:28 02:10:28.045192:CID-0:THREAD_ID-01:RT: packet dropped, policy deny.
Aug 3 02:10:28 02:10:28.0452198:CID-0:THREAD_ID-01:RT: flow_initiate_first_path: first pak no session


Which two statements are correct about the output shown in the exhibit? (Choose 
two.) 

A. The packet is processed as host inbound traffic. 

B. The packet matches the default security policy. 

C. The packet matches a configured security policy. 

D. The packet is processed in the first path packet flow. 

Answer: A,B 


36.Exhibit 


[edit]
user@SRX# show interfaces ge-0/0/4
unit 0 {
    family inet {
        address 192.168.100.1/32;
    }
}

[edit security zones]
user@SRX# show security-zone trust
host-inbound-traffic {
    system-services {
        netconf;
    }
}
interfaces {
    ge-0/0/4.0 {
        host-inbound-traffic {
            system-services {
                ssh;
            }
        }
    }
}


You are not able to ping the default gateway of 192.168.100.1 for your network that is
located on your SRX Series firewall.

Referring to the exhibit, which two commands would correct the configuration of your
SRX Series device? (Choose two.)

A)
[edit security zones security-zone trust]
user@SRX# set interfaces ge-0/0/4.0 host-inbound-traffic system-services ping

B)
[edit interfaces ge-0/0/4]
user@SRX# replace pattern 32 with 24

C)
[edit security zones security-zone trust]
user@SRX# set host-inbound-traffic system-services ping

D)
[edit security zones security-zone trust]
user@SRX# ... ping except

A. Option A
B. Option B
C. Option C
D. Option D
Answer: AB
user@SRX> show ethernet-switching global-information

Global Configuration:

MAC aging interval               : 300
MAC learning                     : Enabled
MAC statistics                   : Disabled
MAC limit Count                  : 65536
MAC limit hit                    : Disabled
MAC packet action drop           : Disabled
MAC+IP aging interval            : IPv4 - 1200 seconds
                                   IPv6 - 1200 seconds
MAC+IP limit Count               : 65536
MAC+IP limit reached             : No
LE aging time                    : 1200
LE BD aging time                 : 1200
MP discard notification interval : 60
Global Mode                      : 1 je t
RE state                         : Master
VXLAN Overlay load bal           : Disabled
VXLAN ECMP                       : Disabled


You have configured the SRX Series device to switch packets for multiple directly
connected hosts that are within the same broadcast domain. However, the traffic
between two hosts in the same broadcast domain is not matching any security
policies.

Referring to the exhibit, what should you do to solve this problem?

A. You must change the global mode to security switching mode.

B. You must change the global mode to security bridging mode.

C. You must change the global mode to transparent bridge mode.

D. You must change the global mode to switching mode.


Answer: B


38. You are asked to download and install the IPS signature database to a device 
operating in chassis cluster mode. 

Which statement is correct in this scenario? 

A. You must download and install the IPS signature package on the primary node. 

B. The first synchronization of the backup node and the primary node must be 
performed manually. 

C. The first time you synchronize the IPS signature package from the primary node to 
the backup node, the primary node must be rebooted. 

D. The IPS signature package must be downloaded and installed on the primary and
backup nodes.


Answer: A 
39.Exhibit 

[Diagram: Your Organization (trust zone, 10.75.75.0/24) - Your SRX (ge-0/0/0, st0) - untrust zone, 10.0.0.0/30 - Former Competitor SRX - Former Competitor (trust zone, 10.75.75.0/24)]

Your company recently acquired a competitor. You want to use using the same IPv4
address space as your company.
Referring to the exhibit, which two actions solve this problem? (Choose two.)
A. Configure static NAT on the SRX Series devices.
B. Connect the competitor network using IPsec policy-based VPNs.
C. Identify two neutral IPv4 address spaces for address translation.
D. Configure IPsec Transport mode.
Answer: A,B


40.What are two valid modes for the Juniper ATP Appliance? (Choose two.)
A. flow collector
B. event collector
C. all-in-one
D. core
Answer: C D